1 / 61

Protecting Your Credit Card Security Environment (PCI)

Protecting Your Credit Card Security Environment (PCI). September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier, Dean & Howard, PLLC. Information Security Landscape.

galvin-hatfield
Download Presentation

Protecting Your Credit Card Security Environment (PCI)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Your Credit Card Security Environment (PCI) September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier, Dean & Howard, PLLC

  2. Information Security Landscape In addition to legislation, why are information security programs, such as PCI, necessary?

  3. Information Security Landscape In addition to legislation, why are information security programs, such as PCI, necessary? What we have is not working

  4. Security – In The News • 9/26/12: New vulnerability in all modern versions of Java • 9/18/2012: New vulnerability in Internet Explorer affecting version 7, 8, and 9 on Windows XP, Windows Vista, Windows 7 • 8/28/2012: 1 Million account usernames, passwords, and sensitive data leaked in attack affecting banks and government agencies

  5. Security – In The News • Since January 2011: At least 12 Certification Authorities have been compromised • Sony – Started with lawsuit on 1/11/2011, hacks begin April 3, 2011, Asks consumers to waive class-action lawsuit rights on September 16 or give up access to service • RSA, Lockheed-Martin

  6. Source: TrustwaveSpiderlabs – Global Security Report 2011

  7. Source: TrustwaveSpiderlabs – Global Security Report 2011

  8. Source: TrustwaveSpiderlabs – Global Security Report 2011

  9. Source: TrustwaveSpiderlabs – Global Security Report 2011

  10. Source: TrustwaveSpiderlabs – Global Security Report 2011

  11. Source: Verizon 2011 Data Breach Investigations Report

  12. Study on Data Breaches • Verizon conducts an annual study of data breaches • The US Secret Service and Dutch High Tech Crime Unit provided the results of their data breach efforts which Verizon combined with their results • The study does not include cost analysis of data breaches, but rather, high-level analysis of root cause and perpetrator

  13. Source: Verizon 2011 Data Breach Investigations Report

  14. Source: Verizon 2011 Data Breach Investigations Report

  15. Source: Verizon 2011 Data Breach Investigations Report

  16. Source: Verizon 2011 Data Breach Investigations Report

  17. Source: Verizon 2011 Data Breach Investigations Report

  18. Source: Verizon 2011 Data Breach Investigations Report

  19. Source: Verizon 2011 Data Breach Investigations Report

  20. How did we arrive here? Individual card brands maintained their own security and compliance programs for merchants, processors, inc. • VISA Cardholder Information Security Program (CISP) • MasterCard Site Data Protection Program • American Express Data Security Operating Policy • Discover Information and Compliance • JCB Data Security Program

  21. Payment Card Industry (PCI): Security Standards Council (SSC) “The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements.”

  22. PCI SSC – Why? To help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise

  23. PCI – Key players • Merchant • Acquiring Bank; Issuing Bank • Cardbrand • Service Providers • Council

  24. PCI – Key players • QSA – Qualified Security Assessor • ISA – Internal Security Assessor • ASV – Approved Scanning Vendor • SAQ – Self-assessment Questionnaire • ROC – Report on Compliance

  25. PCI - Founding Global Card Brands • American Express • Discover Financial Services • JCB International • MasterCard Worldwide • Visa IncAll have agreed agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.

  26. PCI Data Security Standard (DSS) • 12 Requirements – 250 Testing Procedures “PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data…”

  27. Cardholder Data Environment (CDE) • The CDE is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. • The PCI DSS security requirements apply to all system components (any network component, server, or application) that is included in or connected to the cardholder data environment.

  28. PCI Overview – Visa Merchant Levels

  29. PCI Overview – Merchant Validation

  30. PCI Overview – Merchant Validation

  31. PCI Overview – Visa Reporting

  32. PCI DSS 2.0 - Overview V2.0 released October 28, 2010

  33. Build and Maintain a Secure Network • Requirement 1: Install and maintain a firewall configuration to protect cardholder data • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

  34. Requirement 1 Highlights Install and maintain a firewall configuration to protect cardholder data • Standard configurations • Change control process • Placement & configuration • Minimum necessary • 6-Month review • Mobile software firewalls

  35. Requirement 2 Highlights Do not use vendor-supplied defaults for system passwords and other security parameters • Changing default passwords • Configuration hardening standards • Operating systems, databases, applications, etc. • System configuration • Minimum necessary

  36. Protect Cardholder Data • Requirement 3: Protect stored cardholder data • Requirement 4: Encrypt transmission of cardholder data across open, public networks

  37. Requirement 3 Highlights Protect stored cardholder data • Data retention and disposal policies • Minimum necessary • No Track data storage • No Card Verification Code (CVC)data storage • Card Primary Account Number (PAN) masking • PAN storage requirements / encryption • Documentation

  38. Requirement 4 Highlights Encrypt transmission of cardholder data across open, public networks • Transmission encryption • The Internet • Wireless technologies (WiFi) • Mobile (cell) technologies • Never send unencrypted using End-User Messaging technologies: • Email, instant messaging, SMS (texting)

  39. Maintain a Vulnerability Management Program • Requirement 5: Use and regularly update anti-virus software or programs • Requirement 6: Develop and maintain secure systems and applications

  40. Requirement 5 Highlights Use and regularly update anti-virus software or programs • Deployed on all systems • Commonly affected by malicious software • Yes – Windows • No – UNIX, Series i • Must be current / latest signatures

  41. Requirement 6 Highlights Develop and maintain secure systems and applications • Vendor supplied patches • Critical < 30 days • Less critical within 2 to 3 months • Establish process to identify new vulnerabilities • Custom development • Change control process • Secure coding / code review (OWASP Top 10) • No production PANs used in testing

  42. Implement Strong Access Control Measures • Requirement 7: Restrict access to cardholder data by business need-to-know • Requirement 8: Assign a unique ID to each person with computer access • Requirement 9: Restrict physical access to cardholder data

  43. Requirement 7 Highlights Restrict access to cardholder data by business need-to-know • Minimum necessary access to Cardholder Data Environment (CDE) • User provisioning process • Based on job classification / function • Default “deny all” configuration

  44. Requirement 8 Highlights Assign a unique ID to each person with computer access • All users must have a “Unique ID” and password for access to CDE • Two-factor authentication for remote users • Password / account management • Policy communication

  45. Requirement 9 Highlights Restrict physical access to cardholder data • Physical security monitoring (i.e. video cameras) • Physical access to system components • Physical access to network jacks • Employee and visitor identification • Visitor tracking • Backup media security, storage, tracking, destruction, etc.

  46. Regularly Monitor and Test Networks • Requirement 10: Track and monitor all access to network resources and cardholder data • Requirement 11: Regularly test security systems and processes

  47. Requirement 10 Highlights Track and monitor all access to network resources and cardholder data • Linking CDE access to the individual user • Automated audit trails • Actions taken • Logical access / creation, changing, deletion • Invalid logon attempts • Audit log review • Audit log retention • Time synchronization

  48. Requirement 11 Highlights Regularly test security systems and processes • Quarterly wireless access point testing • Scanning / Physical inspection / Wireless IDS • Quarterly vulnerability scans • External – Approved Scanning Vendor (ASV) • Internal – Internal staff or ASV • Annual penetration test (Internal and External) • Firewall and application • Intrusion Detection System (IDS) • File Integrity Monitoring

  49. Maintain an Information Security Policy • Requirement 12: Maintain a policy that addresses information security for all personnel

  50. Requirement 12 Highlights Maintain a policy that addresses information security for all personnel • Must address all PCI requirements • Reviewed annually • Usage policies • Responsibilities • Security awareness program • Employee screening • Service provider policies • Incident response plan

More Related